By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
Yet another exploit to gain 'mail' privileges:
/usr/bin/mail $HOME Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2819
Severity: a user with a local account may gain mail privileges.
Workaround: chmod -s /usr/bin/mail
Bugtraq Database:
2001-06-05: BestCrypt Arbitrary Privileged Program Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2820
2001-06-03: WebTrends Reporting Server Script Source Code Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2812
2001-06-02: Qualcomm qpopper Username Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2811
2001-05-31: Horde Imp Message Attachment Symbolic Link Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2805
2001-05-31: Acme.Serve v1.7 Arbitrary File Access Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2809
Bugtraq List:
SSH allows deletion of other users 'cookie' files.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0322.html
You can delete any file on the filesystem you want... as long as it's called 'cookies'. Not really a very useful bug, but it could cause annoyances to people who actually like their cookies.
Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
mailtool buffer overflow in $OPENWINHOME
Status: Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workarounds: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html
rpc.yppasswdd buffer overflow
Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.
Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php
mailx -F buffer Overflow
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610
Xsun HOME buffer overflow vulnerability
Status: Local SUID exploit.
Workaround: Remove the SUID permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they addressed this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561
SNMP to DMI mapper daemon
Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).
Workaround: Disable the DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7) but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README 108869-05, released on 9th May indicated only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"
kcsSUNWIOsolf.so KCMS_PROFILES environment variable
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability
Status: Local SUID exploit of command line options, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605
CDE dtsession LANG environment variable
Status: Local SUID exploit, no patches yet. Exploit available for Solaris x86.
Workaround: On servers not requiring a GUI, the SUID can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows/core dump shadow password recovery
Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).
Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564
NTP buffer overflow
Status: Serious remote exploit, no patches yet.
Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
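Most of the workarounds above (the /usr/bin/mail item at the top of this digest included) come down to "chmod -s" on a handful of binaries, and the rpc.yppasswdd entry gives two signs of a host that has already been hit: an extra "/usr/sbin/inetd -s z" process and a root shell listening on tcp/77. The script below is an added example written for this digest, not one of the digest's own scripts: it checks both things by parsing the output of ls -l, ps -ef and netstat -an, so the functions can be exercised on constructed sample lines (embedded, not captured from a real host) before being pointed at a live Solaris machine. The path list, sample data and function names are the example's own assumptions.

```shell
#!/bin/sh
# setid_audit.sh (added example; not one of the digest's scripts)
# Checks whether the sgid/suid workarounds from this digest have been applied
# and looks for the rpc.yppasswdd post-exploitation signs it describes.
# Plain POSIX sh: each function reads command output on stdin, so it can be
# run against saved or sample output as well as a live host.

# Binaries the digest recommends "chmod -s" for (Solaris 8 paths, assumed).
SETID_TARGETS="/usr/bin/mail /usr/bin/mailx /usr/openwin/bin/mailtool
/usr/openwin/bin/Xsun /usr/openwin/bin/kcms_configure /usr/bin/ipcs
/usr/dt/bin/dtsession"

# report_setid: read 'ls -l' lines, print each file that still carries a
# set-uid or set-gid bit. Exit status 0 = all clean, 1 = at least one set.
report_setid() {
    found=0
    while read -r mode links owner group rest; do
        path=${rest##* }                 # the file name is the last field
        case "$mode" in
            ???[sS]*|??????[sS]*)        # char 4 = set-uid, char 7 = set-gid
                echo "SET-ID   $mode $owner:$group $path"
                found=1 ;;
        esac
    done
    return $found
}

# check_ps: read 'ps -ef' lines; flag the extra inetd instance the yppasswdd
# exploit leaves behind, and note whether rpc.yppasswdd itself is running.
check_ps() {
    found=0
    while read -r line; do
        case "$line" in
            *"/usr/sbin/inetd -s z"*)
                echo "SUSPECT  $line"; found=1 ;;
            *rpc.yppasswdd*)
                echo "RUNNING  rpc.yppasswdd (disable until patched): $line" ;;
        esac
    done
    return $found
}

# check_netstat: read 'netstat -an' lines; flag a TCP listener on port 77
# (rje), where the digest says the exploit's root shell shows up.
# Solaris prints local addresses as host.port, so "*.77" is port 77.
check_netstat() {
    found=0
    while read -r local remote rest; do
        case "$local:$rest" in
            *.77:*LISTEN*)
                echo "SUSPECT  listener on tcp/77: $local"; found=1 ;;
        esac
    done
    return $found
}

# Constructed samples (not from a real host): only mailx has been fixed,
# and both yppasswdd indicators are present.
SAMPLE_LS='-r-x--s--x   1 root     mail       68872 Jan  5  2000 /usr/bin/mail
-r-x--x--x   1 root     mail       68872 Jan  5  2000 /usr/bin/mailx
-r-sr-xr-x   1 root     bin      2044556 Jan  5  2000 /usr/openwin/bin/Xsun'
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   142     1  0   Jun 01 ?        0:00 /usr/sbin/inetd -s
    root   201     1  0   Jun 01 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd
    root  1873     1  0 10:42:11 ?        0:00 /usr/sbin/inetd -s z'
SAMPLE_NETSTAT='      *.22                 *.*                0      0 24576      0 LISTEN
      *.77                 *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN'

# Demonstration on the samples. On a live host use instead:
#   ls -l $SETID_TARGETS | report_setid
#   ps -ef | check_ps
#   netstat -an | check_netstat
printf '%s\n' "$SAMPLE_LS"      | report_setid  || echo "-> set-id workaround not fully applied"
printf '%s\n' "$SAMPLE_PS"      | check_ps      || echo "-> yppasswdd compromise indicator in ps"
printf '%s\n' "$SAMPLE_NETSTAT" | check_netstat || echo "-> yppasswdd compromise indicator in netstat"
```

The set-id check deliberately reports rather than fixes: the side effects noted above (mail locking for mailx, the dtsession screen lock needing /etc/shadow) are a per-host decision, and a script that blindly runs chmod -s across the list would also wipe the bits on a box where the Sun patch has since landed.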
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Jun/01/01:
103640-36 SunOS 5.5.1: kernel, nisopaccess, & libthread patch
103686-03 SunOS 5.5.1: rpc.nisd_resolv patch
104220-04 SunOS 5.5.1: /usr/lib/nfs/mountd patch
104331-08 SunOS 5.5.1: /usr/sbin/rpcbind patch
104166-05 SunOS 5.5.1: /usr/lib/nfs/statd patch
Solaris 2.6, Jun/01/01:
105284-41 Motif 1.2.7: Runtime library patch
Solaris 7, Jun/01/01:
none
Solaris 8, Jun/01/01:
109279-13 SunOS 5.8: /kernel/drv/ip patch
Solaris 8_x86, Jun/01/01:
110402-03 SunOS 5.8_x86: ufsdump patch
105210-38 SunOS 5.6: libaio, libc & watchmalloc patch
105338-27 CDE 1.2: dtmail patch
105633-53 OpenWindows 3.6: Xsun patch
107684-02 SunOS 5.7: sendmail patch
107709-12 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
108528-08 SunOS 5.8: kernel update patch
108875-09 SunOS 5.8: c2audit patch
108991-12 SunOS 5.8: libc and watchmalloc patch
109041-04 SunOS 5.8: sockfs patch
109234-02 * SunOS 5.8: Apache/mod_jserv patch
109279-13 SunOS 5.8: /kernel/drv/ip patch
109322-07 SunOS 5.8: libnsl patch
110387-03 SunOS 5.8: ufssnapshots support, ufsdump patch
110458-02 SunOS 5.8: libcurses patch
110943-01 SunOS 5.8: /usr/bin/tcsh patch
108529-08 SunOS 5.8_x86: kernel update patch
108992-12 * SunOS 5.8_x86: libc and watchmalloc patch
109042-04 SunOS 5.8_x86: sockfs patch
110402-03 SunOS 5.8_x86: ufsdump patch
110459-02 SunOS 5.8_x86: libcurses patch
110616-01 * SunOS 5.8_x86: sendmail patch
110899-02 SunOS 5.8_x86: csh/pfcsh patch
110944-01 SunOS 5.8_x86: /usr/bin/tcsh patch
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC.
- sadmind/IIS Worm
- Scans and Probes
Comment: I'm seeing the same activity as CERT; perhaps you should check your systems too? See also the Tip of the Week section below.
Web Security: Apache and mod_ssl Part II - Paul Weinstein
http://www.daemonnews.org/200106/ssl_apache_pt2.html
In this article we'll cover the most popular open source method: adding mod_ssl to Apache.
A Read-Only Server on a Bootable CD - Marshall Midden
http://www.daemonnews.org/200106/bootable_CD.html
The author describes the process for creating a customized bootable CD for both the FreeBSD and OpenBSD operating systems. The CD can then be used to run a secure server that can't be modified.
OpenBSD drops IPfilter program in licensing dispute
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO61038,00.html
http://www.bsdtoday.com/2001/June/Features495.html
http://www.newsforge.com/article.pl?sid=01/06/06/169245&mode=thread
Opera has released a version of their browser compiled for Linux on SPARC processors. There are versions dynamically and statically linked with Qt.
http://www.opera.com/download/
Paper: ICMP Usage In Scanning v3.0
http://www.linuxsecurity.com/articles/documentation_article-3115.html
A list of sysadmin tools, categorized.
http://www.ensta.fr/internet/unix/sys_admin/
The Trouble With Tripwire: Making a Valuable Security Tool More Efficient - Edward R. Arnold
http://www.securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/tripwire.html
06/06/01 lkm;dtlogin
http://www.securityfocus.com/templates/archive.pike?fromthread=0&tid=189143&threads=1&list=92&end=2001-06-09&start=2001-06-03&
06/04/01 Is this normal ?
http://www.securityfocus.com/templates/archive.pike?fromthread=0&tid=188802&threads=1&list=92&end=2001-06-09&start=2001-06-03&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
RE: cisecurity audit tool vs YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00201.html
yassp status?
http://www.theorygroup.com/Archive/YASSP/2001/msg00200.html
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include MindTerm SSH, TCTUTILs and BIND.
Auditing and Intrusion Monitoring tools include SnortPlot, Nmap, SAINT, NEAT, NANS, Chkrootkit, PIKT, LIDS, Samhain and 3 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, FloppyFw, IPfilter, PacketPlot
and 2 other tools.
Tools for Linux/Unix/Cross Platform include Secure FTP, OpenCL and RSX.
Tools for Windows include AntiVir Personal Edition and Mailscanner for Postfix.
Note: The new Mindterm is good, the new 'scp' GUI works well. I have problems with umlauts on Swiss-German keyboards though.
I recently had to scan a few networks to check for the existence of Sun servers which had been compromised by the above sadmind/IIS worm. More details on the worm are available from CERT. The approach used and the scripts are documented here, as they may be of use to readers auditing their systems.
The first script scans each network for a single TCP port (600, the port the worm's backdoor shell uses) and mails the result:

#!/bin/sh
# /root/sean/nmap_port
# Sean Boran, 16.Jun.01
# Scan the listed networks for one TCP port and mail the result to $user.
port="600"; user="root";
# nmap output lines to drop from the report
ignore="^Port|filtered|^$|seconds to scan|Initiating"
f=$0.$$;
cmd="/usr/local/bin/nmap -P0 -sS -p $port";
for target in 176.17.16.0/24 176.17.17.0/24; do
  date > $f
  echo "$cmd $target" >> $f 2>&1
  $cmd $target | egrep -v "$ignore" >> $f 2>&1
  date >> $f
  mailx -s "Port $port scan $target" $user < $f
  # empty file for next scan:
  #cat $f
  mv $f $f.done
done
The second script walks each class C network and asks every host whether RPC program 100232 (sadmind, the service the worm exploits) answers:

#!/bin/sh
# sadmin_scan
# Sean Boran, 7.Jun.01
# Probe every host in the listed networks for RPC program 100232 (sadmind).
result1=$0.$$
for network in 176.17.16 176.17.17; do
  host=1
  while [ "$host" -lt "255" ] ; do
    echo "Checking $network.$host"
    rpcinfo -u "$network.$host" 100232 > $result1 2>&1
    if [ $? = 0 ] ; then
      echo "RPC program 100232 is running! "
      cat $result1
    fi
    host=`expr $host + 1`
  done
done

Sample output for a host where sadmind answers:

Checking 193.5.227.50
RPC program 100232 is running!
program 100232 version 10 ready and waiting
A copy of the above scripts can be found on: www.boran.com/security/sp/solaris.
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.